
How to Turn Off Security Defaults in Office 365?

Published in Microsoft 365 Security · 4 min read

To turn off security defaults in Office 365 (now part of Microsoft 365, with identity handled by Microsoft Entra ID), open the settings through the Microsoft 365 admin center and disable them directly. Disabling security defaults allows more granular control over security policies, usually through Conditional Access, but should only be done if an alternative, robust security strategy is already in place.

Step-by-Step Guide to Disable Security Defaults

Follow these instructions to disable security defaults for your organization:

  1. Log in to the Microsoft 365 admin center: Open your web browser and navigate to the Microsoft 365 admin center. Sign in with an account that has Global Administrator or Security Administrator privileges.
  2. Navigate to Identity Settings: Once logged in, on the left-hand navigation pane, expand the "Show all" option if necessary, then click on Identity.
  3. Access Overview Properties: Within the Identity section, select Overview, and then choose Properties.
  4. Manage Security Defaults: Scroll down to the bottom of the "Properties" page. You will find a link titled "Manage security defaults"; click on this link.
  5. Disable Security Defaults: A fly-out pane will appear. On this pane, select the Disabled option.
  6. Provide a Reason and Save: You will be prompted to choose a reason for disabling security defaults. Select the most appropriate reason from the dropdown list (e.g., "I have Conditional Access policies configured"). After selecting a reason, click Save.
  7. Confirm Disabling: A confirmation prompt will appear, asking you to confirm your decision. Click "Disable" to finalize the change.

Once confirmed, security defaults will be turned off for your Microsoft 365 tenant.

Understanding Security Defaults

Security defaults are a set of basic security policies pre-enabled in all new Microsoft Entra ID tenants to help protect organizations from common attacks. They enforce:

  • Multi-Factor Authentication (MFA) registration: All users are required to register for MFA.
  • Disabled Legacy Authentication: Clients using older protocols such as POP3, IMAP4, and SMTP, which cannot perform MFA, are blocked.
  • Protection of Administrative Activities: Admins are required to perform MFA every time they sign in.
  • MFA for all users: Users are required to complete MFA when necessary.

While beneficial for immediate protection, they offer a "one-size-fits-all" approach.

Why You Might Disable Them

Organizations typically disable security defaults for the following reasons:

  • Implementing Conditional Access Policies: For more granular control, organizations switch to Microsoft Entra Conditional Access policies. This allows tailoring security requirements based on user, location, device, application, and risk factors.
  • Specific Business Requirements: Certain legacy applications or services may not be compatible with the strict rules enforced by security defaults (e.g., legacy authentication protocols), requiring a more customized approach.
  • Staged Rollout of MFA: Although not recommended for the long term, some organizations temporarily disable security defaults so they can roll out MFA to user groups in phases using Conditional Access.

Security Defaults vs. Conditional Access Policies

It's crucial to understand the difference between security defaults and Conditional Access:

| Feature | Security Defaults | Conditional Access Policies |
|---|---|---|
| Purpose | Baseline security for all tenants. | Granular, customizable policy enforcement. |
| Configuration | On/Off toggle. No customization. | Highly customizable rules (if, then, else conditions). |
| MFA Enforcement | All users, all scenarios (with some exceptions). | Specific users/groups, locations, devices, apps. |
| Licensing | Included with all Microsoft 365 subscriptions. | Requires Microsoft Entra ID P1 or P2 license. |
| Flexibility | Low. | High. |
| Recommended Usage | Small organizations without complex needs or licenses. | Organizations needing tailored, risk-based security. |

Best Practices After Disabling Security Defaults

Disabling security defaults without a replacement strategy leaves your tenant vulnerable. It is strongly advised to immediately implement Conditional Access policies that meet or exceed the security posture provided by security defaults.

Here are essential considerations:

  • Implement MFA for All Users: Create Conditional Access policies to enforce MFA for all users, or at least for high-risk users and administrative roles.
  • Block Legacy Authentication: Configure a Conditional Access policy to block clients using legacy authentication protocols.
  • Require Compliant Devices: Enforce that users access corporate resources only from devices that meet your organization's compliance standards.
  • Location-Based Access: Restrict access to corporate resources from untrusted or high-risk geographic locations.
  • Monitor Sign-in Risks: Use Conditional Access with Identity Protection to respond to risky sign-ins (e.g., requiring password changes or MFA challenges for unusual sign-in activities).
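The portal steps above and the first two items of this checklist can be verified from PowerShell. The following script is an added example (not from the original article or from Microsoft): it reads the security defaults state with the Microsoft Graph PowerShell SDK, checks whether enforced Conditional Access policies already require MFA for all users and block legacy authentication, and only turns security defaults off (when run with -Disable) if both replacements are present. The Graph cmdlets and the Policy.Read.All / Policy.ReadWrite.ConditionalAccess scopes are the ones the author believes are required; the gap messages and switch name are this example's own.

```powershell
# Added example: audit Conditional Access coverage before disabling security defaults.
# Requires the Microsoft.Graph.Identity.SignIns module. Read-only unless -Disable is given.
param([switch]$Disable)

Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess" -NoWelcome

$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security defaults enabled: $($sd.IsEnabled)"

# Only enforced policies count; disabled or report-only policies protect nothing.
$enforced = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' }

# Replacement 1: MFA (built-in control or an authentication strength) for all users on all apps.
$mfaAll = $enforced | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All' -and
    ($_.GrantControls.BuiltInControls -contains 'mfa' -or
     $null -ne $_.GrantControls.AuthenticationStrength)
}

# Replacement 2: block the legacy client types (Exchange ActiveSync and "other clients")
# that cannot perform MFA, mirroring the legacy authentication block of security defaults.
$blockLegacy = $enforced | Where-Object {
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}

$gaps = @()
if (-not $mfaAll)      { $gaps += 'no enforced policy requires MFA for all users' }
if (-not $blockLegacy) { $gaps += 'no enforced policy blocks legacy authentication' }

if ($gaps.Count -gt 0) {
    Write-Warning ('Conditional Access does not yet replace security defaults: ' + ($gaps -join '; '))
    if ($Disable) { Write-Warning 'Refusing to disable security defaults until the gaps are closed.' }
    return
}

Write-Host "MFA policy: $($mfaAll.DisplayName -join ', ')"
Write-Host "Legacy auth block: $($blockLegacy.DisplayName -join ', ')"

# Same change as step 5 of the portal walkthrough, performed only after the checks pass.
if ($Disable -and $sd.IsEnabled) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
    Write-Host 'Security defaults disabled.'
}
```

Run it without -Disable first to see the current state and any gaps; policies scoped to "All users" typically exclude a break-glass account, which this check tolerates because it inspects IncludeUsers only.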

By carefully planning and implementing a robust Conditional Access strategy, you can achieve a higher level of security tailored to your organization's specific needs after disabling security defaults.